@tuent/sentinel 0.1.3 → 0.1.5

package/dist/chunk-B6S2PBS4.js

@@ -0,0 +1,47 @@
+// src/setup/policyDiscovery.ts
+import { existsSync, statSync } from "fs";
+import { resolve, join, dirname } from "path";
+function isTrustedPolicyStat(stats, processUid) {
+  if ((stats.mode & 2) !== 0) {
+    return { trusted: false, reason: "file is world-writable" };
+  }
+  if (processUid !== void 0 && stats.uid !== processUid) {
+    return {
+      trusted: false,
+      reason: `file is owned by uid ${stats.uid}, not the current user (uid ${processUid})`
+    };
+  }
+  return { trusted: true, reason: null };
+}
+function isTrustedOnDisk(candidate) {
+  if (process.platform === "win32") return true;
+  let stats;
+  try {
+    stats = statSync(candidate);
+  } catch {
+    return false;
+  }
+  const processUid = typeof process.getuid === "function" ? process.getuid() : void 0;
+  const verdict = isTrustedPolicyStat({ uid: stats.uid, mode: stats.mode }, processUid);
+  if (!verdict.trusted) {
+    console.warn(`[Sentinel] Ignoring untrusted policy file ${candidate}: ${verdict.reason}`);
+  }
+  return verdict.trusted;
+}
+function discoverPolicy(startDir, home) {
+  let dir = resolve(startDir);
+  const homeAbs = resolve(home);
+  while (true) {
+    const candidate = join(dir, ".sentinel.yaml");
+    if (existsSync(candidate) && isTrustedOnDisk(candidate)) return candidate;
+    if (dir === homeAbs) return null;
+    const parent = dirname(dir);
+    if (parent === dir) return null;
+    dir = parent;
+  }
+}
+
+export {
+  discoverPolicy
+};
+//# sourceMappingURL=chunk-B6S2PBS4.js.map

package/dist/{chunk-JTR2E7RD.js → chunk-M5EEVMLU.js}

@@ -1,15 +1,62 @@
-// src/repoSensitivityMap.ts
+import {
+  DEFAULT_DANGEROUS_SCHEMES,
+  DEFAULT_FORBIDDEN_PATTERNS,
+  DEFAULT_NETWORK_DENYLIST_CIDRS,
+  checkSaneNumber,
+  suggestKey
+} from "./chunk-SKE74CYZ.js";
+
+// src/repoSensitivityOverlay.ts
 import * as fs from "fs/promises";
 import * as path from "path";
 import * as os from "os";
-var DEFAULT_MAP_PATH = path.join(os.homedir(), ".dahlia", "repo-sensitivity.json");
-async function saveMap(map, customPath) {
-  const target = customPath ?? DEFAULT_MAP_PATH;
+var VALID_DECISION_TYPES = /* @__PURE__ */ new Set(["reject", "accept", "override"]);
+var OVERLAY_TOP_KEYS = ["version", "repoRoot", "decisions", "updatedAt"];
+var DECISION_KEYS = [
+  "path",
+  "decision",
+  "reason",
+  "sensitivity",
+  "category",
+  "decidedAt"
+];
+function sanitizeSensitivityScore(fieldLabel, value, throwError) {
+  const violation = checkSaneNumber(value, {});
+  if (violation) {
+    throwError(`${fieldLabel} ${violation} \u2014 sensitivity must be a finite number in [0, 1]`);
+  }
+  const n = value;
+  if (n < 0 || n > 1) {
+    const clamped = Math.min(1, Math.max(0, n));
+    console.warn(
+      `[Sentinel] ${fieldLabel} is ${n}, outside [0, 1] \u2014 clamped to ${clamped}. Fix the file to silence this warning.`
+    );
+    return clamped;
+  }
+  return n;
+}
+function rejectUnknownJsonKeys(section, obj, allowed, throwError) {
+  for (const key of Object.keys(obj)) {
+    if (!allowed.includes(key)) {
+      const suggestion = suggestKey(key, allowed);
+      throwError(
+        `unknown key "${key}" in ${section}.` + (suggestion ? ` Did you mean "${suggestion}"?` : "") + ` Valid keys: ${allowed.join(", ")}`
+      );
+    }
+  }
+}
+var DEFAULT_OVERLAY_PATH = path.join(
+  os.homedir(),
+  ".dahlia",
+  "repo-sensitivity.review.json"
+);
+async function saveOverlay(overlay, customPath) {
+  const target = customPath ?? DEFAULT_OVERLAY_PATH;
   const parent = path.dirname(target);
   const tempPath = target + ".tmp";
   try {
     await fs.mkdir(parent, { recursive: true });
-    await fs.writeFile(tempPath, JSON.stringify(map, null, 2), "utf-8");
+    await fs.writeFile(tempPath, JSON.stringify(overlay, null, 2), "utf-8");
     await fs.rename(tempPath, target);
   } catch (err) {
     try {
@@ -17,13 +64,16 @@ async function saveMap(map, customPath) {
     } catch {
     }
     const message = err instanceof Error ? err.message : String(err);
-    throw new Error(`RepoSensitivityMap.saveMap: failed to save to ${target}: ${message}`, {
+    throw new Error(`SensitivityOverlay.saveOverlay: failed to save to ${target}: ${message}`, {
       cause: err
     });
   }
 }
-async function loadMap(customPath) {
-  const target = customPath ?? DEFAULT_MAP_PATH;
+async function loadOverlay(customPath) {
+  const target = customPath ?? DEFAULT_OVERLAY_PATH;
+  const failLoad = (message) => {
+    throw new Error(`SensitivityOverlay.loadOverlay: file at ${target} is invalid: ${message}`);
+  };
   let raw;
   try {
     raw = await fs.readFile(target, "utf-8");
@@ -38,21 +88,56 @@ async function loadMap(customPath) {
     parsed = JSON.parse(raw);
   } catch (err) {
     const message = err instanceof Error ? err.message : String(err);
-    throw new Error(`RepoSensitivityMap.loadMap: file at ${target} is malformed: ${message}`, {
+    throw new Error(`SensitivityOverlay.loadOverlay: file at ${target} is malformed: ${message}`, {
       cause: err
     });
   }
-  const scannedAt = typeof parsed.scannedAt === "string" ? parsed.scannedAt : "unknown";
+  if (typeof parsed !== "object" || parsed === null || Array.isArray(parsed)) {
+    failLoad("top level must be a JSON object");
+  }
+  rejectUnknownJsonKeys("overlay", parsed, OVERLAY_TOP_KEYS, failLoad);
+  const version = typeof parsed.version === "string" ? parsed.version : "1.0";
   const repoRoot = typeof parsed.repoRoot === "string" ? parsed.repoRoot : "";
-  const entries = Array.isArray(parsed.entries) ? parsed.entries : [];
-  const summary = parsed.summary && typeof parsed.summary === "object" && !Array.isArray(parsed.summary) ? parsed.summary : computeSummaryFromEntries(entries);
-  return { scannedAt, repoRoot, entries, summary };
+  const rawDecisions = Array.isArray(parsed.decisions) ? parsed.decisions : [];
+  const updatedAt = typeof parsed.updatedAt === "string" ? parsed.updatedAt : "unknown";
+  const decisions = rawDecisions.map((d, i) => {
+    const prefix = `decisions[${i}]`;
+    if (typeof d !== "object" || d === null || Array.isArray(d)) {
+      failLoad(`${prefix} must be an object`);
+    }
+    const entry = d;
+    rejectUnknownJsonKeys(prefix, entry, DECISION_KEYS, failLoad);
+    if (typeof entry.path !== "string" || entry.path.length === 0) {
+      failLoad(`${prefix}.path must be a non-empty string`);
+    }
+    if (typeof entry.decision !== "string" || !VALID_DECISION_TYPES.has(entry.decision)) {
+      failLoad(
+        `${prefix}.decision is "${String(entry.decision)}" \u2014 must be one of: reject, accept, override`
+      );
+    }
+    const result = {
+      path: entry.path,
+      decision: entry.decision,
+      decidedAt: typeof entry.decidedAt === "string" ? entry.decidedAt : "unknown"
+    };
+    if (entry.reason !== void 0) result.reason = String(entry.reason);
+    if (entry.category !== void 0) result.category = String(entry.category);
+    if (entry.sensitivity !== void 0) {
+      result.sensitivity = sanitizeSensitivityScore(
+        `${prefix}.sensitivity`,
+        entry.sensitivity,
+        failLoad
+      );
+    }
+    return result;
+  });
+  return { version, repoRoot, decisions, updatedAt };
 }
-function lookupEntry(map, target, repoRoot) {
+function lookupOverlayDecision(overlay, target, repoRoot) {
   if (!target || typeof target !== "string" || target.trim() === "") {
     return null;
   }
-  const lookupRoot = repoRoot ?? map.repoRoot;
+  const lookupRoot = repoRoot ?? overlay.repoRoot;
   let canonical;
   if (path.isAbsolute(target)) {
     if (!lookupRoot) return null;
@@ -66,48 +151,76 @@ function lookupEntry(map, target, repoRoot) {
     canonical = canonical.slice(2);
   }
   canonical = canonical.replace(/\\/g, "/");
-  for (const entry of map.entries) {
-    if (entry.path === canonical) return entry;
+  for (const decision of overlay.decisions) {
+    if (decision.path === canonical) return decision;
   }
   return null;
 }
-function computeSummaryFromEntries(entries) {
-  const byCategory = {};
-  const byConfidence = {
-    low: 0,
-    medium: 0,
-    high: 0
+function applyOverlay(overlay, decisionPath, decisionType, options) {
+  let canonical = decisionPath;
+  if (canonical.startsWith("./")) {
+    canonical = canonical.slice(2);
+  }
+  canonical = canonical.replace(/\\/g, "/");
+  const newDecision = {
+    path: canonical,
+    decision: decisionType,
+    decidedAt: (/* @__PURE__ */ new Date()).toISOString()
   };
-  for (const entry of entries) {
-    byCategory[entry.category] = (byCategory[entry.category] ?? 0) + 1;
-    if (entry.confidence === "low" || entry.confidence === "medium" || entry.confidence === "high") {
-      byConfidence[entry.confidence]++;
-    }
+  if (options?.reason !== void 0) newDecision.reason = options.reason;
+  if (options?.sensitivity !== void 0) newDecision.sensitivity = options.sensitivity;
+  if (options?.category !== void 0) newDecision.category = options.category;
+  const existing = overlay.decisions.findIndex((d) => d.path === canonical);
+  const decisions = existing >= 0 ? [
+    ...overlay.decisions.slice(0, existing),
+    newDecision,
+    ...overlay.decisions.slice(existing + 1)
+  ] : [...overlay.decisions, newDecision];
+  return {
+    ...overlay,
+    decisions,
+    updatedAt: newDecision.decidedAt
+  };
+}
+function removeOverlayDecision(overlay, decisionPath) {
+  let canonical = decisionPath;
+  if (canonical.startsWith("./")) {
+    canonical = canonical.slice(2);
+  }
+  canonical = canonical.replace(/\\/g, "/");
+  const filtered = overlay.decisions.filter((d) => d.path !== canonical);
+  if (filtered.length === overlay.decisions.length) {
+    return overlay;
   }
   return {
-    totalFiles: entries.length,
-    sensitiveFiles: entries.length,
-    byCategory,
-    byConfidence
+    ...overlay,
+    decisions: filtered,
+    updatedAt: (/* @__PURE__ */ new Date()).toISOString()
+  };
+}
+function createEmptyOverlay(repoRoot) {
+  return {
+    version: "1.0",
+    repoRoot,
+    decisions: [],
+    updatedAt: (/* @__PURE__ */ new Date()).toISOString()
   };
 }
 
-// src/repoSensitivityOverlay.ts
+// src/repoSensitivityMap.ts
 import * as fs2 from "fs/promises";
 import * as path2 from "path";
 import * as os2 from "os";
-var DEFAULT_OVERLAY_PATH = path2.join(
-  os2.homedir(),
-  ".dahlia",
-  "repo-sensitivity.review.json"
-);
-async function saveOverlay(overlay, customPath) {
-  const target = customPath ?? DEFAULT_OVERLAY_PATH;
+var MAP_TOP_KEYS = ["scannedAt", "repoRoot", "entries", "summary"];
+var ENTRY_KEYS = ["path", "sensitivity", "category", "confidence", "matchedRules"];
+var DEFAULT_MAP_PATH = path2.join(os2.homedir(), ".dahlia", "repo-sensitivity.json");
+async function saveMap(map, customPath) {
+  const target = customPath ?? DEFAULT_MAP_PATH;
   const parent = path2.dirname(target);
   const tempPath = target + ".tmp";
   try {
     await fs2.mkdir(parent, { recursive: true });
-    await fs2.writeFile(tempPath, JSON.stringify(overlay, null, 2), "utf-8");
+    await fs2.writeFile(tempPath, JSON.stringify(map, null, 2), "utf-8");
     await fs2.rename(tempPath, target);
   } catch (err) {
     try {
@@ -115,13 +228,16 @@ async function saveOverlay(overlay, customPath) {
     } catch {
     }
     const message = err instanceof Error ? err.message : String(err);
-    throw new Error(`SensitivityOverlay.saveOverlay: failed to save to ${target}: ${message}`, {
+    throw new Error(`RepoSensitivityMap.saveMap: failed to save to ${target}: ${message}`, {
       cause: err
     });
   }
 }
-async function loadOverlay(customPath) {
-  const target = customPath ?? DEFAULT_OVERLAY_PATH;
+async function loadMap(customPath) {
+  const target = customPath ?? DEFAULT_MAP_PATH;
+  const failLoad = (message) => {
+    throw new Error(`RepoSensitivityMap.loadMap: file at ${target} is invalid: ${message}`);
+  };
   let raw;
   try {
     raw = await fs2.readFile(target, "utf-8");
@@ -136,21 +252,48 @@ async function loadOverlay(customPath) {
     parsed = JSON.parse(raw);
   } catch (err) {
     const message = err instanceof Error ? err.message : String(err);
-    throw new Error(`SensitivityOverlay.loadOverlay: file at ${target} is malformed: ${message}`, {
+    throw new Error(`RepoSensitivityMap.loadMap: file at ${target} is malformed: ${message}`, {
       cause: err
     });
   }
-  const version = typeof parsed.version === "string" ? parsed.version : "1.0";
+  if (typeof parsed !== "object" || parsed === null || Array.isArray(parsed)) {
+    failLoad("top level must be a JSON object");
+  }
+  rejectUnknownJsonKeys("map", parsed, MAP_TOP_KEYS, failLoad);
+  const scannedAt = typeof parsed.scannedAt === "string" ? parsed.scannedAt : "unknown";
   const repoRoot = typeof parsed.repoRoot === "string" ? parsed.repoRoot : "";
-  const decisions = Array.isArray(parsed.decisions) ? parsed.decisions : [];
-  const updatedAt = typeof parsed.updatedAt === "string" ? parsed.updatedAt : "unknown";
-  return { version, repoRoot, decisions, updatedAt };
+  const rawEntries = Array.isArray(parsed.entries) ? parsed.entries : [];
+  const entries = rawEntries.map((e, i) => {
+    const prefix = `entries[${i}]`;
+    if (typeof e !== "object" || e === null || Array.isArray(e)) {
+      failLoad(`${prefix} must be an object`);
+    }
+    const entry = e;
+    rejectUnknownJsonKeys(prefix, entry, ENTRY_KEYS, failLoad);
+    if (typeof entry.path !== "string" || entry.path.length === 0) {
+      failLoad(`${prefix}.path must be a non-empty string`);
+    }
+    const sensitivity = sanitizeSensitivityScore(
+      `${prefix}.sensitivity`,
+      entry.sensitivity,
+      failLoad
+    );
+    return {
+      path: entry.path,
+      sensitivity,
+      category: typeof entry.category === "string" ? entry.category : "general",
+      confidence: entry.confidence === "low" || entry.confidence === "medium" || entry.confidence === "high" ? entry.confidence : "low",
+      matchedRules: Array.isArray(entry.matchedRules) ? entry.matchedRules.map(String) : []
+    };
+  });
+  const summary = parsed.summary && typeof parsed.summary === "object" && !Array.isArray(parsed.summary) ? parsed.summary : computeSummaryFromEntries(entries);
+  return { scannedAt, repoRoot, entries, summary };
 }
-function lookupOverlayDecision(overlay, target, repoRoot) {
+function lookupEntry(map, target, repoRoot) {
   if (!target || typeof target !== "string" || target.trim() === "") {
     return null;
   }
-  const lookupRoot = repoRoot ?? overlay.repoRoot;
+  const lookupRoot = repoRoot ?? map.repoRoot;
   let canonical;
   if (path2.isAbsolute(target)) {
     if (!lookupRoot) return null;
@@ -164,134 +307,32 @@ function lookupOverlayDecision(overlay, target, repoRoot) {
     canonical = canonical.slice(2);
   }
   canonical = canonical.replace(/\\/g, "/");
-  for (const decision of overlay.decisions) {
-    if (decision.path === canonical) return decision;
+  for (const entry of map.entries) {
+    if (entry.path === canonical) return entry;
   }
   return null;
 }
-function applyOverlay(overlay, decisionPath, decisionType, options) {
-  let canonical = decisionPath;
-  if (canonical.startsWith("./")) {
-    canonical = canonical.slice(2);
-  }
-  canonical = canonical.replace(/\\/g, "/");
-  const newDecision = {
-    path: canonical,
-    decision: decisionType,
-    decidedAt: (/* @__PURE__ */ new Date()).toISOString()
-  };
-  if (options?.reason !== void 0) newDecision.reason = options.reason;
-  if (options?.sensitivity !== void 0) newDecision.sensitivity = options.sensitivity;
-  if (options?.category !== void 0) newDecision.category = options.category;
-  const existing = overlay.decisions.findIndex((d) => d.path === canonical);
-  const decisions = existing >= 0 ? [
-    ...overlay.decisions.slice(0, existing),
-    newDecision,
-    ...overlay.decisions.slice(existing + 1)
-  ] : [...overlay.decisions, newDecision];
-  return {
-    ...overlay,
-    decisions,
-    updatedAt: newDecision.decidedAt
+function computeSummaryFromEntries(entries) {
+  const byCategory = {};
+  const byConfidence = {
+    low: 0,
+    medium: 0,
+    high: 0
   };
-}
-function removeOverlayDecision(overlay, decisionPath) {
-  let canonical = decisionPath;
-  if (canonical.startsWith("./")) {
-    canonical = canonical.slice(2);
-  }
-  canonical = canonical.replace(/\\/g, "/");
-  const filtered = overlay.decisions.filter((d) => d.path !== canonical);
-  if (filtered.length === overlay.decisions.length) {
-    return overlay;
+  for (const entry of entries) {
+    byCategory[entry.category] = (byCategory[entry.category] ?? 0) + 1;
+    if (entry.confidence === "low" || entry.confidence === "medium" || entry.confidence === "high") {
+      byConfidence[entry.confidence]++;
+    }
   }
   return {
-    ...overlay,
-    decisions: filtered,
-    updatedAt: (/* @__PURE__ */ new Date()).toISOString()
-  };
-}
-function createEmptyOverlay(repoRoot) {
-  return {
-    version: "1.0",
-    repoRoot,
-    decisions: [],
-    updatedAt: (/* @__PURE__ */ new Date()).toISOString()
+    totalFiles: entries.length,
+    sensitiveFiles: entries.length,
+    byCategory,
+    byConfidence
   };
 }
 
-// src/defaults.ts
-var DEFAULT_FORBIDDEN_PATTERNS = [
-  "**/.env",
-  "**/.env.*",
-  "**/.ssh/**",
-  "**/.aws/**",
-  "**/secrets/**",
-  "**/credentials/**",
-  "**/id_rsa*",
-  "**/id_dsa*",
-  "**/id_ecdsa*",
-  "**/id_ed25519*",
-  "**/*.pem",
-  "**/*.key",
-  "/etc/**",
-  // Sprint 26 FIX 1 (A) — common credential stores. DRIFT: keep in sync with
-  // STARTER_POLICY.forbid.targets in setup/initClaudeCode.ts (template↔defaults
-  // unification tracked in a separate ticket — do not refactor here).
-  "**/.netrc",
-  "**/.npmrc",
-  "**/.git-credentials",
-  "**/.pgpass",
-  "**/.zsh_history",
-  "**/.config/gh/**",
-  "**/.docker/config.json",
-  "**/.gnupg/**",
-  "**/.config/gcloud/**",
-  "**/.kube/**",
-  "**/Library/Keychains/**",
-  // Sprint 26 FIX 1 (B) — Sentinel's own state dir (current path only; the
-  // ~/.dahlia → ~/.sentinel rename is a separate re-arch).
-  "**/.dahlia/**",
-  // Sprint 26 FIX 3 — the live policy file and cc's hook-wiring settings files.
-  // Denies the agent's own tool-writes (policy rewrite / unhook vectors); reads
-  // stay allowed via DEFAULT_POLICY_READ_EXCEPTIONS below. The settings glob
-  // covers project AND user-level (~/.claude/settings*.json) in one pattern.
-  // DRIFT: keep in sync with STARTER_POLICY.forbid.targets in setup/initClaudeCode.ts.
-  "**/.sentinel.yaml",
-  "**/.claude/settings*.json"
-];
-var DEFAULT_POLICY_READ_EXCEPTIONS = [
-  { target: "**/.sentinel.yaml", allowedActions: ["file_read"] },
-  { target: "**/.claude/settings*.json", allowedActions: ["file_read"] }
-];
-function withPolicyReadExceptions(existing) {
-  const merged = existing ? [...existing] : [];
-  for (const exc of DEFAULT_POLICY_READ_EXCEPTIONS) {
-    if (!merged.some((e) => e.target === exc.target)) merged.push(exc);
-  }
-  return merged;
-}
-var DEFAULT_MEDIUM_DISPOSITION = {
-  network_request: "deny"
-};
-var DEFAULT_NETWORK_DENYLIST_CIDRS = [
-  "10.0.0.0/8",
-  // RFC1918 private (Class A)
-  "172.16.0.0/12",
-  // RFC1918 private (Class B)
-  "192.168.0.0/16",
-  // RFC1918 private (Class C)
-  "127.0.0.0/8",
-  // loopback v4
-  "169.254.0.0/16",
-  // link-local v4 (cloud metadata endpoints)
-  "fe80::/10",
-  // link-local v6
-  "::1/128"
-  // loopback v6
-];
-var DEFAULT_DANGEROUS_SCHEMES = ["file:", "data:", "javascript:", "vbscript:"];
-
 // src/roleValidator.ts
 import { normalize as normalize2, basename as basename2, dirname as dirname4, join as join4 } from "path";
 import { lstatSync, readdirSync, realpathSync as realpathSync2 } from "fs";
@@ -648,8 +689,8 @@ function scanBashCommand(command, forbiddenBasenames) {
 }
 function buildPattern(basename3) {
   const escaped = escapeRegex(basename3);
-  if (basename3.startsWith(".") && basename3.length <= 4 && !isAlphaAfterDot(basename3)) {
-    return new RegExp(`\\w${escaped}(?=$|[\\s;&|<>()'"=\\/])`, "i");
+  if (EXTENSION_BASENAMES.has(basename3.toLowerCase())) {
+    return new RegExp(`(?:^|\\w)${escaped}(?=$|[\\s;&|<>()'"=\\/])`, "i");
   }
   if (basename3.startsWith(".")) {
     return new RegExp(`(?:^|[\\s;&|<>()\\/'"=])${escaped}(?=$|[\\s;&|<>()\\/'"=.])`, "i");
@@ -668,17 +709,15 @@ function scanContentForForbiddenBasenames(content, forbiddenBasenames) {
 }
 function buildContentPattern(basename3) {
   const escaped = escapeRegex(basename3);
-  if (basename3.startsWith(".") && basename3.length <= 4 && !isAlphaAfterDot(basename3)) {
-    return new RegExp(`\\w${escaped}(?=$|[\\s;&|<>()'"=\\/])`, "i");
+  if (EXTENSION_BASENAMES.has(basename3.toLowerCase())) {
+    return new RegExp(`(?:^|\\w)${escaped}(?=$|[\\s;&|<>()'"=\\/])`, "i");
   }
   if (basename3.startsWith(".")) {
     return new RegExp(`(?:^|[\\s;&|<>()\\/'"=])${escaped}(?=$|[\\s;&|<>()\\/'"=.])`, "i");
   }
   return new RegExp(`(?<=[/\\\\]\\.?)${escaped}\\b`, "i");
 }
-function isAlphaAfterDot(s) {
-  return /^\.[a-zA-Z]+$/.test(s);
-}
+var EXTENSION_BASENAMES = /* @__PURE__ */ new Set([".pem", ".key"]);
 function escapeRegex(s) {
   return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
 }
@@ -696,8 +735,8 @@ function scanGlobPattern(pattern, forbiddenBasenames) {
 function buildGlobContextPattern(basename3) {
   const escaped = escapeRegex(basename3);
   const GLOB_DELIM = String.raw`\s;&|<>()\\/'"=.*?{}\[\]`;
-  if (basename3.startsWith(".") && basename3.length <= 4 && !isAlphaAfterDot(basename3)) {
-    return new RegExp(`[\\w*]${escaped}(?=$|[${GLOB_DELIM}])`, "i");
+  if (EXTENSION_BASENAMES.has(basename3.toLowerCase())) {
+    return new RegExp(`(?:^|[\\w*])${escaped}(?=$|[${GLOB_DELIM}])`, "i");
   }
   if (basename3.startsWith(".")) {
     return new RegExp(`(?:^|[${GLOB_DELIM}])${escaped}(?=$|[${GLOB_DELIM}])`, "i");
@@ -1868,18 +1907,15 @@ var TargetSensitivityScorer = class {
 };
 
 export {
-  DEFAULT_MAP_PATH,
-  saveMap,
-  loadMap,
   DEFAULT_OVERLAY_PATH,
   saveOverlay,
   loadOverlay,
   applyOverlay,
   removeOverlayDecision,
   createEmptyOverlay,
-  DEFAULT_FORBIDDEN_PATTERNS,
-  withPolicyReadExceptions,
-  DEFAULT_MEDIUM_DISPOSITION,
+  DEFAULT_MAP_PATH,
+  saveMap,
+  loadMap,
   TargetSensitivityScorer,
   tokenizePaths,
   FORBIDDEN_BASENAMES,
@@ -1897,4 +1933,4 @@ export {
   findMatchingException,
   RoleValidator
 };
-//# sourceMappingURL=chunk-JTR2E7RD.js.map
+//# sourceMappingURL=chunk-M5EEVMLU.js.map